Dependency Update Workflow
A structured approach for updating Python dependencies in this UV-managed project.
Prerequisites
- This project uses UV for dependency management (never pip directly)
- Dependencies are in pyproject.toml under [project] dependencies and [dependency-groups] dev
- Django is pinned to 5.2.x LTS (>=5.2.x,<6.0)
Step 1: Check Outdated Dependencies
uv pip list --outdated
This shows all outdated packages. Focus on top-level dependencies listed in pyproject.toml.
Step 2: Identify Unused Dependencies
For each suspicious dependency, search for actual usage:
# Check for imports
grep -rE "from <package>|import <package>" src/
# Check if it's a transitive dependency
uv pip show <package> | grep -i "required-by"
Known Transitive Dependencies (safe to remove from explicit deps)
These are pulled in automatically by other packages:
- multidict - transitive from aiohttp/aiogram
- pygments - transitive from mkdocs-material, pytest
Type Stubs Belong in Dev
Move types-* packages to [dependency-groups] dev, not production dependencies.
Step 3: Categorize Updates
Safe Updates (patch/minor, no breaking changes)
- Patch versions: 1.2.3→1.2.4
- Minor versions with good release notes: 1.2.x→1.3.x
Needs Review (major versions)
- Major bumps: 1.x→2.x
- Check release notes/changelog before updating
Version-Pinned Dependencies
- Django: Keep at latest 5.2.x LTS (>=5.2.x,<6.0)
- Check classifier in pyproject.toml: "Framework :: Django :: 5.2"
Step 4: Apply Updates
Edit pyproject.toml directly, then sync:
uv sync --dev
Step 5: Verify
Run all checks to ensure nothing broke:
make check
This runs: format, lint, mypy, i18n-check
Common Patterns
Remove Unused Dependency
- Search for usage: grep -r "import <pkg>" src/
- Check reverse deps: uv pip show <pkg> | grep Required-by
- Remove from pyproject.toml
- Run uv sync --dev
Move to Dev Dependencies
- Remove from [project] dependencies
- Add to [dependency-groups] dev
- Run uv sync --dev
Pin to Major Version
# Allow patches within LTS
"django>=5.2.11,<6.0"
Dependencies Removed (2026-02-04)
For reference, these were removed as unused/transitive:
- django-extension - typo (django-extensions already present)
- django-money - unused
- freezegun in prod - duplicate (already in dev)
- multidict - transitive from aiohttp
- ninja-schema - unused
- pyopenssl - unused
- pygments - transitive from dev deps
- types-tqdm - moved to dev
- piexif - moved to dev (only used in tests)